Your data, your trust

Privacy Policy

Effective April 16, 2026

Echo (“we,” “us,” or “our”) provides AI-powered response card scanning for churches, ministries, and nonprofits. This Privacy Policy explains how we collect, use, store, and protect personal information when you use the Echo platform at echoocr.com (the “Service”).

We take the protection of your congregation’s personal data seriously. Many of the individuals whose information flows through Echo — first-time guests, prayer request submitters, families — have entrusted that data to your church. We treat it with the same care you do.

1. Information We Collect

a) Account Information

When you create an Echo account, we collect your display name, email address, and a password (stored as a bcrypt hash — we never store passwords in plain text). If you sign in via single sign-on (SSO/OIDC), we receive a unique identifier and email from your identity provider.

b) Organization & Team Data

Organization administrators provide an organization name, type (e.g., church), timezone, and optionally allowed email domains for auto-join. Team member records include the member’s role (owner, admin, editor, reviewer, or viewer) and the date they joined.

c) Scanned Card Data (Congregation PII)

This is the most sensitive category. When your team scans or uploads response cards, our AI extracts fields that may include:

  • Full name, gender, date of birth, marital status
  • Email address, cell phone, home phone
  • Mailing address (street, apartment, city, state, ZIP)
  • Prayer requests (including confidential flags)
  • Spiritual decisions and next steps (e.g., baptism, salvation)
  • Visit type, attendance history, campus preferences
  • How the visitor heard about your church
  • Service time attended, message topics of interest

We also store the original scanned images (PDF, JPEG, PNG) and processed front/back card images in encrypted object storage.

d) Usage & Technical Data

We collect standard server logs including IP addresses, browser user-agent strings, page views, and timestamps. We use this data for security monitoring, performance optimization, and debugging — not for advertising.

2. How We Use Your Information

We use the information we collect to:

  • Provide the Service — process scanned cards with AI OCR, display results in your dashboard, and sync data to your integrations
  • Authenticate and authorize — verify your identity, manage team roles, and enforce permissions
  • Send transactional emails — email verification, team invitations, and service notices (we do not send marketing emails)
  • Maintain and improve the Service — fix bugs, monitor performance, and develop new features
  • Enforce our Terms — detect abuse and protect the security of the platform

We never sell personal data. We do not use your congregation’s scanned card data to train AI models, build advertising profiles, or for any purpose other than providing the Service to your organization.

3. AI Processing & OCR

Echo uses vision AI models to extract text and structured data from scanned card images. When a card is processed:

  • The card image is sent to an AI model provider (by default, OpenAI via the Vercel AI Gateway) along with a structured extraction prompt
  • The AI returns structured field data (name, email, prayer requests, etc.) which is stored in your organization’s database
  • Self-hosted organizations may configure a local Ollama instance for fully on-premises processing, meaning card images never leave your network

We use OpenAI’s API, which, per their enterprise data use policies, does not use API inputs to train their models. The Vercel AI Gateway acts as a routing proxy and does not persistently store your image data.

4. Third-Party Integrations

Echo can send scanned card data to external services that you explicitly configure. No data is sent to third parties unless your organization enables an integration. Available integrations include:

| Integration | Data Sent |
|---|---|
| Planning Center | Name, email, phone, gender — used to match or create people records and manage list membership |
| Google Sheets | Mapped card fields appended as rows to your specified spreadsheet |
| Monday.com | Mapped card fields as board item columns; optionally card images as file attachments |
| Airtable | Mapped card fields as Airtable record fields |
| Webhooks | Full card data as JSON payload to your specified URL, with optional HMAC-SHA256 signature verification |
| CSV Export | Downloadable file generated locally — no data sent to external servers |

Each integration uses your own credentials (OAuth tokens, API keys, or personal access tokens) and field mappings that you control. You can disable any integration at any time.

5. Subprocessors

We use the following third-party services to operate Echo:

| Provider | Purpose | Data Processed |
|---|---|---|
| Supabase | Managed PostgreSQL database and S3-compatible object storage | All application data, card images, and uploaded files |
| Vercel | Application hosting, edge network, and AI Gateway | HTTP requests, server-side rendering, AI API routing |
| OpenAI | AI vision model for OCR extraction (via Vercel AI Gateway) | Card images and extraction prompts (not used for model training) |
| Upstash | QStash message queue for async job processing | Job IDs and processing metadata (no card PII) |
| Brevo | Transactional email delivery | Recipient email addresses and email content (verification links, invitations) |

6. Data Storage & Security

We implement multiple layers of security to protect your data:

  • Encryption in transit — all connections use TLS/HTTPS
  • Encryption at rest — database and object storage are encrypted at rest via our infrastructure providers (Supabase, AWS)
  • Password security — passwords are hashed using bcrypt with a cost factor of 12; we never store or log plain-text passwords
  • Role-based access control — five permission tiers (owner, admin, editor, reviewer, viewer) restrict who can view, edit, delete, and export card data within your organization
  • Invitation-only teams — team members must be explicitly invited by an admin or owner; optional domain-based auto-join
  • Email verification — required to confirm account ownership
  • API key security — API keys are stored as hashes with only a short prefix visible; keys can be scoped with specific permissions and expiration dates
  • Webhook signatures — outbound webhook payloads can be signed with HMAC-SHA256 so you can verify authenticity
  • Job queue verification — async processing jobs verify Upstash cryptographic signatures before execution

7. Data Retention & Deletion

Configurable Retention

Organization administrators can configure retention periods for:

  • Source uploads (original PDFs/images) — default 30 days
  • Card images (processed front/back images) — default 180 days

When retention periods expire, files are permanently deleted from object storage. The structured data extracted from cards (names, contact info, etc.) is retained in the database until explicitly deleted.

Manual Deletion

Organization admins and owners can delete individual cards at any time. Deletion removes the database record and all associated images from object storage permanently. Deleted data cannot be recovered.

Account Deletion

To request deletion of your account and all associated data, please contact us at support@stillwell.cloud. We will process deletion requests within 30 days.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate data
  • Deletion — request deletion of your personal data
  • Data portability — export your data via CSV export or the API
  • Restriction — request that we limit processing of your data
  • Objection — object to processing of your data for certain purposes

For scanned card data (congregation PII), your church or organization is the data controller. Echo acts as a data processor on behalf of your organization. Individuals whose data appears on scanned cards should direct access, correction, or deletion requests to the church or organization that collected their information.

To exercise your rights regarding your Echo account, contact us at support@stillwell.cloud.

9. Children’s Privacy

Echo is not directed at children under 13. We do not knowingly collect personal information from children under 13. Scanned response cards may occasionally contain information about minors (e.g., children’s ministry forms). This data is processed under the authority and responsibility of the organization that collected it.

If you believe we have inadvertently collected information from a child under 13 without appropriate consent, please contact us immediately at support@stillwell.cloud.

10. International Data

Echo’s infrastructure is hosted in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by posting a prominent notice on the Service or sending you an email. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us: